The Blog

Windows 10 | Point and Print printer installation prompt UAC

We came across a strange issue today on Windows 10 devices that we haven’t seen since the Windows Vista days. Users has started to get prompts for User Account Control(UAC) when connecting to some printers. The Point and Print feature is responible for this as it easily allow standard users to install printer drivers from trusted print server.

This security update resolves vulnerabilities in Microsoft Windows. The more severe of the vulnerabilities could allow remote code execution if an attacker is able to execute a man-in-the-middle (MiTM) attack on a workstation or print server, or set up a rogue print server on a target network.

Windows 10 Point Print UAC Prompt Cause

Microsoft as tightened the requirement for printer drivers on print servers.

Following MS16-087 installation, you receive a UAC prompt and a Connect to Printer error after a printer installation attempt. (A policy is in effect on your computer which prevents you from connecting to this print queue. Please contact your system Administaor)

Here’s the list of the specific KB per OS that create the issue :

KB3163912

Windows 10

KB3172985

Windows 10 v1511

KB3170455

Windows Vista

Windows 7

Windows 8.1

Windows Server 2008

Windows Server 2008 R2

Windows Server 2012

Windows Server 2012 R2

How to fix it

Part 1

Part 1 of the solution is available in the October 2016 Preview of Monthly Quality Rollup available for all operating system except Windows 10 (October 16th). Microsoft has released an update that lets network administrators configure policies that permit the installation of print drivers that they consider are safe. This update also allows network administrators to deploy printer connections that they consider safe.

Note

If you are not familiar with preview updates, take a look at the following blog post.

This mean, if you are facing the issue, the official fix for it will be available for production use on the next Patch Tuesday (November 8th) as part of the Monthly Quality Rollup.

Important

**Update 2016/11/10** Microsoft as released an update that was in preview in Octobre 2016. KB3197868 https://support.microsoft.com/en-ca/kb/3197868 After testing, it’s working as excepted. The second GPO part still required to make this work.

Contributor of System Center Dudes. Based in Montreal, Canada, Senior Microsoft SCCM consultant, working in the industry for more than 10 years. He developed a strong knowledge of SCCM and MDT to build automated OS deployment solution for clients, managed large and complexe environment, including Point of Sale (POS) related projects.

After some testing this does in fact work. What doesn’t make a whole lot of sense and i’m tired so i’m not going to push much further, is that when I seperate 2 GPO’s (1 for computer = this one, and then 1 for Users = printer deployment) it doesn’t work. When I put these 2 together it does work. Working is working, so good enough for now. Thanks for your notes here